Once Human is the centre of a storm of data privacy concerns over a policy line about collecting government ID
Developers Starry Studio insist they haven't broken the law
Free-to-play open world survival shooter Once Human has spent its first week in the wilds weathering complaints about its data collection practices, many of them directed at a line from publisher NetEase's privacy policy in which they state that personal information they receive from you may include "government-issued ID, such as passport information, as required by applicable laws for age verification and correction of personal information".
Following a backlash in the user reviews (the game was Mostly Negative on Steam at launch, but has since risen to Mixed) and on social media, the game's developers Starry Studio have published a blog insisting that they harbour no dark intentions for your personal details - or at least, that they harbour intentions no darker than those of the many other developers who collect your personal information.
You can read NetEase's privacy policy here. The primary bone of contention is the bit directly under "Personal Information we receive from you". This includes "name and contact details", "such as first and last name, title, prefix, email address, telephone number, (instant) messaging account, postal address, date of birth, age, gender, country/region, and government-issued ID, such as passport information, as required by applicable laws for age verification and correction of personal information."
Another thing users have picked up on is that NetEase may (with consent) collect "location information... such as IP geolocation information, cell-ID, and Wi-Fi connection location", by means of third-party services and platforms, who will of course have their own data collection policies. There's a lot more in the doc. If you're uneasy about the game, I encourage you to go through it in full.
Now, here's Starry Studio's post on Steam in response to the privacy concerns. "Once Human takes our users' data privacy very seriously," it reads. "We would only use personal data if we have a legitimate legal basis, such as providing requested services or acting with your expressed consent. We will only use your data lawfully and reasonably and in accordance with local legal compliance requirements, while practicing the data privacy principles such as data minimization, purpose limitation, and transparency. We appreciate and welcome any and all feedback given by our players to help us improve."
The statement notes that if players are worried about NetEase's launcher specifically, they have the option of playing Once Human over Steam or Epic Games Store.
"We sincerely apologize for any confusion or uncertainty experienced by our players," it goes on. "We hope this clarifies the above and please rest assured that we will continue to maintain a transparent, player-friendly gaming environment, not only because it's required by law, but also because it's the right thing to do."
As pointed out by PCGamesN, NetEase are hardly alone in gathering this kind of data. The privacy policy for ZeniMax Media, for example, notes that "in limited circumstances" they may collect your "Social Security Number, driver’s license, precise geolocation, and personal information collected and analyzed concerning a consumer’s health". Blizzard's privacy policy, similarly, specifies that "in some very rare, specific and restricted cases, we may ask you to provide a copy partially obfuscated of a document or government-issued ID to verify your identity, location, and/or account ownership to comply with our legal obligations."
Again - and at the risk of being a brow-beating mollycoddler and trying to set you homework - it's worth reading those documents in full if you have anxieties about how the games in question are handling your info.
As reported by Gamesradar, Jason Thor Hall, a former Blizzard and Amazon developer and nowadays, director of strategy for Offbrand Games, thinks the online reaction to Once Human's privacy policy is "fearmongering". In a Xitter post on Wednesday, he commented that the policy doesn't actively require you to hand over the personal info given under "Name & Contact details".
"The general internet has warped this into a demanded requirement and a privacy issue," Hall wrote. "It's not. These are only sent to the company when required by applicable local laws. This is why it says 'Receive from you' and 'as required by applicable laws'. In some countries government issued ID's are required for live service game access. If you are not in one of these countries you obviously are not asked or required to present those documents."
My fairly unremarkable tl;dr: I think it is generally a bad thing that video games sponge up so much of our personal data, especially in countries whose governments keep their citizens under tight surveillance. Based on my own reading of the Once Human TOS and the commentary above, I do not think that NetEase in particular are doing anything out of the ordinary here.
While many of the concerns I've read about Once Human's data collection seem sincere and substantial, I think there's a touch of sinophobia to a portion of the angry reactions, and an accompanying dismissal of how much of our private lives we've normalised handing over to nice, safe Western companies like Valve and Epic. It would be useful if the furore over Once Human - which, privacy concerns aside, doesn't sound like a brilliant game - lent momentum to a larger conversation about such things.